How can I configure Amazon Route 53 to resolve DNS records from a private hosted zone in an AWS VPN setup involving multiple accounts?

0

In my setup, I have a Virtual Private Cloud (VPC) within my AWS account A, which is peered with another VPC in account B. Account A has the VPN endpoint configured, while Account B hosts a private hosted domain (e.g., domain.com) in Route53.

However, I'm encountering an issue when running an AWS Client VPN on my personal machine. Specifically, I'm unable to resolve the DNS record foo.bar.domain.com to the correct private IP address through the VPN. Consequently, any attempts to run a development server on my machine, connected to the partner VPC's URLs, are failing.

I've attempted to address this issue by setting the VPN endpoint in Account A to use the IP address +2 of the VPC in Account B, but this approach hasn't yielded positive results.

I also experimented with creating a private hosted domain in Account A and configuring the DNS IP to point to the VPC in Account A within the VPN endpoint. While this works for Account A's private hosted domain, it fails when I change the DNS IP to point to the VPC in Account B.

I would greatly appreciate your assistance in resolving this matter.

2 Answers
2

Hi. To configure Amazon Route 53 to resolve DNS records from a private hosted zone in an AWS VPN configuration involving several accounts, follow these steps:

  • In Account B, where the private hosted zone is created, use the AWS CLI, SDK, or API to approve the association of the VPC in Account A with the private hosted zone. To do this, use the create-vpc-association-authorization command or the CreateVPCAssociationAuthorization action.
  • In Account A, where the VPN endpoint is configured, use the AWS CLI, SDK, or API to associate the VPC with the private hosted zone. To do this, use the associate-vpc-with-hosted-zone command or the AssociateVPCWithHostedZone action.
  • Configure the VPN endpoint in Account A to utilize the DNS IP address of the VPC in Account B as a custom DNS server. This enables VPN clients to resolve DNS entries from Account B's private hosted zone.
  • After the association is complete, remove the authorisation to associate the VPC with the private hosted zone in Account B. This will prevent the VPC from being associated with the private hosted zone in the future. To do this, use the delete-vpc-association-authorization command or the DeleteVPCAssociationAuthorization action.

You can visit these resources for better clarity:

  • https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html
  • https://aws.amazon.com/blogs/architecture/using-route-53-private-hosted-zones-for-cross-account-multi-region-architectures/

answered 7 months ago
  • Thanks for the information. I have four AWS accounts with private hosted zone. The question is what DNS IP address do I configure on the VPN endpoint?

1

Configure your VPN client DNS server to be the VPC CIDR +.2, so that you are using your VPN's VPC, to which your client endpoints connect.

Then on each peering connection ensure cross-peering DNS resolution is enabled (used for AWS DNS names such as RDS instances, if needed).

Then for each private hosted zone in each account you want to resolve, you have to associate the PHZ to the VPN VPC.

https://repost.aws/knowledge-center/route53-private-hosted-zone

EXPERT
answered 7 months ago
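The steps from both answers (authorise in the zone-owning account, associate from the VPN account, revoke the authorisation, then point the Client VPN endpoint at the VPN VPC's resolver) collected into one re-runnable script. This is an added example, not code from either answer or from AWS; the profile names, zone id, VPC id, region, endpoint id and resolver address are placeholder assumptions, and the resolver default follows the second answer (VPN VPC CIDR +2).

```shell
#!/usr/bin/env sh
# Added example (not code from either answer): the cross-account PHZ
# association steps plus the Client VPN resolver setting as one script.
# Profiles, zone id, VPC ids, region, endpoint id and resolver address
# below are hypothetical placeholders; override them via the environment.
AWS="${AWS:-aws}"                             # set AWS=echo for a dry run
ZONE_PROFILE="${ZONE_PROFILE:-account-b}"     # account owning the zone
VPN_PROFILE="${VPN_PROFILE:-account-a}"       # account owning VPN + VPC
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z0PLACEHOLDER}"
VPN_VPC_ID="${VPN_VPC_ID:-vpc-0placeholder}"
VPN_VPC_REGION="${VPN_VPC_REGION:-eu-west-1}"
CVPN_ENDPOINT_ID="${CVPN_ENDPOINT_ID:-cvpn-endpoint-0placeholder}"
VPC_RESOLVER_IP="${VPC_RESOLVER_IP:-10.0.0.2}"  # VPN VPC CIDR base + 2
vpc_arg() { printf 'VPCRegion=%s,VPCId=%s' "$VPN_VPC_REGION" "$VPN_VPC_ID"; }

# Step 1 (zone owner): authorise the foreign VPC to be associated.
authorize_association() {
  $AWS --profile "$ZONE_PROFILE" route53 create-vpc-association-authorization \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$(vpc_arg)"
}

# Step 2 (VPC owner): perform the association from the VPN VPC's side.
associate_vpn_vpc() {
  $AWS --profile "$VPN_PROFILE" route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$(vpc_arg)"
}

# Step 3 (zone owner): revoke the one-time authorisation so the zone does
# not remain open to repeat associations from that VPC.
revoke_authorization() {
  $AWS --profile "$ZONE_PROFILE" route53 delete-vpc-association-authorization \
    --hosted-zone-id "$HOSTED_ZONE_ID" --vpc "$(vpc_arg)"
}

# Step 4 (VPC owner): push the VPC resolver address to Client VPN users.
set_vpn_dns() {
  $AWS --profile "$VPN_PROFILE" ec2 modify-client-vpn-endpoint \
    --client-vpn-endpoint-id "$CVPN_ENDPOINT_ID" \
    --dns-servers "Enabled=true,CustomDnsServers=$VPC_RESOLVER_IP"
}

# Check: which hosted zones the VPN VPC can now resolve.
verify_association() {
  $AWS --profile "$VPN_PROFILE" route53 list-hosted-zones-by-vpc \
    --vpc-id "$VPN_VPC_ID" --vpc-region "$VPN_VPC_REGION" \
    --query 'HostedZoneSummaries[].HostedZoneId' --output text
}

run_all() { authorize_association && associate_vpn_vpc && revoke_authorization && set_vpn_dns && verify_association; }
```

Run with `AWS=echo` first to review the exact commands before letting them touch either account; for more than two accounts, repeat steps 1 to 3 per zone-owning profile against the same VPN VPC.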
